U.S. Government Accountability Office Independent Auditor's Report

APPENDIX III

Other Material Weaknesses

Material weaknesses in internal control discussed in this report resulted in ineffective controls
over financial reporting. In addition to the material weaknesses discussed in appendix II that
contributed to our disclaimer of opinion on the accrual-based consolidated financial statements,
we found the following four other material weaknesses in internal control.

Improper Payments

Reducing improper payments is critical to safeguarding federal funds.44 During fiscal year 2012,
the federal government continued to make progress in identifying and reporting on improper
payments. Entities reported improper payment estimates for nine additional programs when
compared to fiscal year 2011.45 Most notably, the Department of Health and Human Services
(HHS) reported an estimated improper payment amount for the Children’s Health Insurance
Program of $704 million. Nevertheless, the federal government continues to face challenges in
determining the full extent of improper payments. For example, four federal entities did not
report fiscal year 2012 estimated improper payment amounts for 10 risk-susceptible programs,
including HHS’s Temporary Assistance for Needy Families. The Improper Payments Information
Act of 2002 (IPIA), as amended by the Improper Payments Elimination and Recovery Act of
2010 (IPERA),46 requires federal executive branch entities to (1) review all programs and
activities, (2) identify those that may be susceptible to significant improper payments, (3) estimate
the annual amount of improper payments for those programs and activities, (4) implement
actions to reduce improper payments and set reduction targets, and (5) report on the results of
addressing the foregoing requirements. IPERA also established a requirement for entity
inspectors general to report annually on entities’ compliance, as defined in IPERA. In March
2012, the inspectors general began issuing their reports under this requirement covering fiscal
year 2011. The reports identified issues such as improper risk assessment methods used by
entities to identify programs and activities susceptible to significant improper payments,
estimates not being reported for susceptible programs, and improper payment reduction targets
not being set.

The Office of Management and Budget (OMB) reported total federal entity improper payment
estimates of $107.7 billion in fiscal year 2012. This is a decrease from the prior year revised
estimate of $115.7 billion as reported by federal entities.47 These estimates represented about
4.4 percent and 4.7 percent of reported outlays for the associated programs in fiscal years 2012
and 2011, respectively. Decreases in reported estimates of improper payments were mostly
attributable to four major programs: the decreases for the Department of Labor’s Unemployment
Insurance and the Department of the Treasury’s Earned Income Tax Credit programs were
attributable to decreases in reported outlays, and the decreases for HHS’s Medicaid and the
Social Security Administration’s Old-Age, Survivors, and Disability Insurance programs were
attributable to decreases in reported error rates.48 It is important to note that, pursuant to OMB
implementing guidance, reported improper payment estimates include overpayments,
underpayments, and payments for which adequate documentation was not found, and may also
include amounts of payments for years prior to the current fiscal year.

In addition to the issues reported by entity inspectors general as noted above, entity auditors
continued to report internal control deficiencies over financial reporting, such as financial system
limitations and information system control weaknesses, which significantly increase the risk that
improper payments may occur and not be detected promptly.

Until the federal government has implemented effective processes to determine the full extent to
which improper payments occur and appropriate actions are taken across entities and programs
to effectively reduce improper payments, the federal government will not have reasonable
assurance that the use of federal funds is adequately safeguarded.

Information Security

Although progress has been made, serious and widespread information security control
deficiencies reported during fiscal year 2012 continue to place federal assets at risk of
inadvertent or deliberate misuse, financial information at risk of unauthorized modification or
destruction, sensitive information at risk of inappropriate disclosure, and critical operations at
risk of disruption. Specifically, control deficiencies were identified related to (1) security
management; (2) access to computer resources (data, equipment, and facilities); (3) changes to
information system resources; (4) segregation of incompatible duties; and (5) contingency
planning. We have reported information security as a high-risk area across government since
February 1997.

Such information security control deficiencies unnecessarily increase the risk that data recorded
in or transmitted by federal financial management systems are not reliable and available. A
primary reason for these deficiencies is that federal entities generally have not yet fully
institutionalized comprehensive security management programs, which are critical to identifying
information security control deficiencies, resolving information security problems, and managing
information security risks on an ongoing basis. The federal government has taken important
actions to improve information security, such as enhancing performance measures and reporting
processes necessary for monitoring and assessing the effectiveness of agencies’
information security programs. In addition, the administration established goals to achieve, by
the end of fiscal year 2014, 95 percent use of (1) trusted Internet connections to consolidate
external telecommunication access points; (2) continuous monitoring of federal information
systems; and (3) strong authentication through the increased use of federal smart card
credentials, such as Personal Identity Verification and Common Access Cards. Until entities
identify and resolve information security control deficiencies and manage information security
risks on an ongoing basis, federal data and systems, including financial information, will remain
at risk.

Tax Collection Activities

During fiscal year 2012, a material weakness continued to affect the federal government's ability
to effectively manage its tax collection activities. Due to financial system limitations, as well as
errors and delays in recording taxpayer information, the federal government’s records did not
always reflect the correct amount of taxes owed by the public to the federal government. Such
errors and delays may cause undue burden and frustration to taxpayers who either have
already paid taxes owed or who owe significantly lower amounts. Collectively, these deficiencies
indicate that internal controls were not effective in (1) ensuring that reported amounts of taxes
receivable and other tax assessments were accurate on an ongoing basis and could be relied
upon by management as a tool to aid in making and supporting resource allocation decisions
and (2) supporting timely and reliable financial statements, accompanying notes, and required
supplementary information and other information without extensive supplemental procedures
and adjustments.

Loans Receivable and Loan Guarantee Liabilities

Internal control deficiencies were identified at certain federal entities that accounted for the
majority of the reported balances for loans receivable and loan guarantee liabilities. The
deficiencies related to monitoring and reporting loan and loan-related activity, and to credit
subsidy estimation and related financial reporting processes. In fiscal year 2012, the
Department of Education, which accounted for the largest reported balance of loans receivable,
experienced internal control deficiencies related to the implementation of new debt management
collection and direct loan servicing systems. The department’s deficiencies affected, among
other things, its ability to process certain types of transactions, prepare certain system
reconciliations in a timely manner, and properly report interest accruals.

Such deficiencies and issues, and complexities associated with estimating the costs of lending
and other loan-related financing activities, significantly increase the risk that misstatements in
entity and government-wide financial statements could occur and go undetected. Further,
control deficiencies related to estimating the costs of lending and other loan-related financing
activities can adversely affect the federal government’s ability to support annual budget
requests for these programs, make future budgetary decisions, manage program costs, and
measure the performance of lending activities.

Footnotes

44Under the Improper Payments Information Act of 2002, as amended, improper payments are statutorily defined as
any payment that should not have been made or that was made in an incorrect amount (including overpayments and
underpayments) under statutory, contractual, administrative, or other legally applicable requirements. It includes any
payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment
for a good or service not received (except for such payments where authorized by law), and any payment that does
not account for credit for applicable discounts.

45Of the nine programs, the Office of Management and Budget (OMB) excluded four programs from its governmentwide
totals because those programs did not have OMB-approved sampling methodologies for estimating improper
payments.

46IPIA, Pub. L. No. 107-300, 116 Stat. 2350 (Nov. 26, 2002), as amended by IPERA, Pub. L. No. 111-204, 124 Stat.
2224 (July 22, 2010), and reprinted in 31 U.S.C. 3321 note. As of the date of this report, H.R. 4053, the Improper
Payments Elimination and Recovery Improvement Act of 2012, was awaiting the President’s signature. The Act would
require federal entities to take additional steps to identify and prevent improper payments. The Act would enact into
law elements of the President’s “Do Not Pay List” initiative by requiring entities to review prepayment and pre-award
procedures and ensure a thorough review of available databases to determine program or award eligibility before the
release of any federal funds. The Act would also direct OMB to annually identify a list of high-priority federal programs
for greater levels of oversight and review and would require each entity responsible for one of these high-priority
programs to annually submit a program report to its inspector general and make a report copy available to the public.

47In their fiscal year 2012 Performance and Accountability Reports (PAR) and Annual Financial Reports (AFR), three
federal entities updated their fiscal year 2011 improper payment estimates to reflect changes since issuance of their
fiscal year 2011 PARs and AFRs. These updates increased the government-wide improper payment estimate for
fiscal year 2011 from $115.3 billion to $115.7 billion.

48Reported error rates reflect the estimated improper payments as a percentage of total program outlays.